2022-04-04 07:57:11 <ncopa> Ariadne: so there is a vulnerability in busybox? anywhere I can track if/where it gets a CVE?
2022-04-04 07:57:19 <Ariadne> CVE is assigned
2022-04-04 07:59:49 <ncopa> im googling but not finding it
2022-04-04 08:00:16 <Ariadne> its CVE-2022-28391
2022-04-04 08:05:53 <ncopa> thanks!
2022-04-04 08:10:13 <Ariadne> i'll do the backports in a little bit, edge is already got the hotfix
2022-04-04 08:11:09 <ncopa> i saw it. woudl be nice to have the CVE mentioned in the commit messages in the backports
2022-04-04 08:11:15 <ncopa> thank you for working on it
2022-04-04 08:11:46 <ncopa> i guess we should tag new releases later today or tomorrow then
2022-04-04 08:11:56 <ncopa> before the scanners start bug us
2022-04-04 09:13:53 <Ariadne> thats why i went and got the CVE *now*, so we can do this on our terms
2022-04-04 09:13:56 <Ariadne> :)
2022-04-04 10:31:21 <Ariadne> ncopa: all done with the backports
2022-04-04 11:10:01 <ncopa> thank you!
2022-04-06 15:29:10 <ncopa> Ariadne: I'm refactoring our busybox ssl_client to use openssl directly, without libretls. I wonder if you would like to have a quick review of it?
2022-04-06 15:29:26 <Ariadne> why ?
2022-04-06 15:29:46 <Ariadne> i'd prefer to stick with libtls so we can start to remove openssl from alpine base :P
2022-04-06 15:30:05 <Ariadne> but i'm willing to do a review
2022-04-06 15:30:27 <ncopa> last time I missed libretls when doing openssl CVE, which resulted in me having to do a release a few days after the firs
2022-04-06 15:30:38 <ncopa> we get rid of libretls in the base image
2022-04-06 15:33:08 <ncopa> let me see if I can publish it somewhere. i have verified that it handles same badssl.com stuff as current ssl_client
2022-04-06 15:40:09 <ncopa> here we go: https://github.com/ncopa/ssl_client/blob/main/ssl_client.c
2022-04-06 15:40:29 <ncopa> i understand why people hate the openssl API ...
2022-04-06 15:42:25 <psykose> that certainly looks like code
2022-04-06 15:42:33 <psykose> it is definitely a program that has been written
2022-04-06 16:03:36 <Ariadne> looks ok to me
2022-04-07 06:24:31 <ncopa> thank you
2022-04-08 14:57:28 <psykose> seems there's a gz/xz vuln.. !32914
2022-04-08 14:57:50 <psykose> https://www.openwall.com/lists/oss-security/2022/04/07/8
2022-04-08 14:58:28 <psykose> https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
2022-04-08 14:58:29 <psykose> fun
2022-04-08 15:30:22 <psykose> !32932 !32933 !32935 !32936 !32937
2022-04-08 15:30:56 <psykose> !32941 !32914 !32934 !32938 !32939
2022-04-13 07:33:36 <ncopa> go 1.18.1 https://groups.google.com/g/golang-announce/c/oecdBNLOml8
2022-04-13 10:56:31 <omni> !33173
2022-04-13 13:09:26 <psykose> ah, this go should fix the ppc issues
2022-04-13 22:01:18 <omni> I think someone else need to take over !33190
2022-04-14 20:08:45 <ikke> https://gitlab.alpinelinux.org/alpine/aports/-/issues/13699 :)
2022-04-14 22:00:15 <psykose> : )
2022-04-15 10:50:44 <omni> there doesn't seem to be a Xen 4.13.5 release (yet), so perhaps we need to patch ourselves for 3.12-stable?
2022-04-15 11:03:19 <ncopa> probably yes
2022-04-15 11:03:25 <ncopa> they often ship patches upstream
2022-04-15 11:04:32 <omni> I can't look at it now, as I need to leave, but I'll spam these !33263 !33265 !33266 !33268
2022-04-16 22:35:14 <omni> there are a few patches here http://xenbits.xen.org/gitweb/?p=xen.git;a=log;h=refs/heads/stable-4.13 for the version that is packaged in 3.12
2022-04-16 22:35:44 <omni> I found that I'm too tired to get anywhere with it now
2022-04-16 22:42:50 <psykose> i assume they will release a 4.13.5 at some point
2022-04-17 02:28:21 <Ariadne> with 3.12 being near EOL i think we can leave it
2022-04-17 05:36:24 <omni> https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=SUPPORT.md;h=3f4a01101e53ae08a33563f246419cc2c06c4d36;hb=refs/heads/stable-4.13
2022-04-17 05:36:58 <omni> but I asked in #xen and they didn't seem sure there would be a 4.13.5 release still
2022-04-17 05:57:40 <psykose> which are the specific commit from that branch that are needed
2022-04-17 19:12:51 <omni> I began going through them yesterday and might submit an MR later
2022-04-17 19:13:43 <omni> our package contain three post 4.13.4 xsa commits/patches, but there are a few additional
2022-04-19 12:25:48 <ncopa> https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10507
2022-04-19 12:26:00 <ncopa> not sure if we consider it a security problem
2022-04-20 02:31:33 <Ariadne> have been working on a security scanner for our go/rust packages
2022-04-20 02:31:37 <Ariadne> since static dependencies
2022-04-20 08:16:35 <ncopa> awesome
2022-04-20 19:32:56 <Foxboron> Ariadne: was there any work to standardize the alpine/apk purl format?
2022-04-20 19:33:10 <Ariadne> no
2022-04-20 19:33:38 <Foxboron> syft has an invented format for alpine. I started working on some Arch support and wanted to try standardize things for us
2022-04-20 19:36:06 <Ariadne> apko uses pkg://apk/[ecosystem]/[package]-[version]?...
2022-04-20 19:37:11 <Foxboron> syft uses pkg:alpine/pkg-2@7.3.1?arch=x86_64&upstream=apk-origin@9.1.3&distro=alpine-3.10.9 :p
2022-04-20 19:37:51 <Foxboron> But okay, then the apko format matches what I assumed would be proper
2022-04-20 19:38:19 <Foxboron> Ariadne: I can write up the pr to include this in the spec if you want? It's not a lot of effort
2022-04-20 19:38:44 <Ariadne> syft is wrong :)
2022-04-20 21:32:10 <omni> I opened !33442
2022-04-20 21:32:37 <omni> but I'm tempted to just make one huge .patch from all commits since 4.13.4 release
2022-04-20 21:32:47 <omni> that would apply cleanly
2022-04-20 21:33:13 <omni> b4bb02d5999a56c93f0733b589b717e7cece9c09^..fe97133b5deef58bd1422f4d87821131c66b1d0e
2022-04-20 21:33:48 <omni> but, again, I'm too tired to continue with this
2022-04-20 21:42:07 <omni> would want someone to take a closer look at it either way
2022-04-21 12:21:59 <ikke> 3 CVEs announced for the curl release next week
2022-04-21 12:23:07 <psykose> do they make old i.e. 7.79 releases too or will i have to find the commits :p
2022-04-21 12:23:20 <ikke> Most likely the latter
2022-04-21 12:23:23 <psykose> sure
2022-04-21 12:23:32 <ikke> curl isn't known to backport these kinds of things
2022-04-21 16:36:48 <Ariadne> i can ask badger
2022-04-21 16:36:52 <Ariadne> bagder*
2022-04-21 16:39:04 <psykose> if each three has cleanly applying patches i don't mind either way
2022-04-21 18:51:28 <omni> mushroom murshoom
2022-04-21 18:55:41 <psykose> mushie
2022-04-21 20:04:26 <omni> how about this last commit? !33442
2022-04-21 20:05:09 <psykose> i prefer the many-files one, but i don't actually know if it's a good fix or not
2022-04-21 20:06:40 <omni> then I need to dig more into what commit(s) were missing, or one patch file per commit since 3.14.3 release
2022-04-21 20:07:25 <omni> 4.13.4*
2022-04-21 20:09:13 <omni> with this one file for everything since 4.13.4 release you'd "just" remove it if there were to be a 4.13.5 release before 220501 (v3.12 EoL)
2022-04-21 20:17:46 <omni> I think this is the best I can do, since what the patches actually do is a bit beyond me
2022-04-21 20:19:34 <psykose> they certainly either break or fix things
2022-04-22 09:21:31 <omni> it's mainly out of principle that I want it to be patched before v3.12 EoL, I don't use it myself
2022-04-22 09:50:28 <omni> I squashed the commits and updated the commit message, including the command I used to create the patch file to easily reproduce it
2022-04-22 09:51:11 <omni> ncopa: what do you think?
2022-04-22 09:57:28 <ncopa> omni: LGMT. thank you!
2022-04-25 13:47:33 <omni> ncopa: would !33442 go in before 3.12 EoL then? =)
2022-04-25 13:57:11 <ncopa> omni: will try. thanks!
2022-04-25 14:29:33 <omni> ^____^
2022-04-27 08:04:30 <omni> https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
2022-04-27 08:08:22 <ikke> https://pkgs.alpinelinux.org/packages?name=ruby-google-protobuf&branch=edge
2022-04-29 15:20:22 <omni> ncopa: !33751